web programming

Headers & Secure HTTP Requests

Security has and will continue to be a main consideration when hosting and developing applications for any platform. Developing web applications is certainly no exception. This post begins to aggregate certain HTTP headers that aide in this security whether it is trying to force a certain request type, avoid cross-site origin requests, and so on. Naturally a list like this is ever-growing with deprecated items along the way.


Strict-Transport-Security response header is a simple way, as MDN (Mozilla Developers Network) puts it, to inform browsers only HTTPS requests should be made to this website.

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

In order to append this header with PHP add the following prior to anything other than other HTTP headers being sent to the server. Attempting to send any headers after other content will result in an error. This goes for all headers, not just this one.

  header('Strict-Transport-Security max-age=63072000; includeSubDomains; preload');

Depending on the web server being used request headers may be automatically added to each request. For example, if running Apache the HSTS header may be added to each request if the .htaccess file contains the following:

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Leave a Reply